By Gordon McNeil
Certification to the ISO 9001 standard is often a minimum customer requirement for external product and service providers and their sub-tiers. As organizations seek to identify, minimize, and mitigate supply chain risk, they rely increasingly heavily on such a certified management standard, along with the independent assessments carried out by a certification body (CB).
Auditors who spend most of their time carrying out second-party audits on behalf of their employer know that certification is by no means a silver bullet. After all, if having certification resulted in continual compliance to the standard, audits would not be necessary, and the standard would not mandate internal auditing.
The figure below summarizes data spanning a six-year period (2014 to 2019) from a total of 100 customer audits of suppliers to a defense contractor. This period was chosen to capture audits carried out by a dedicated supply chain quality team working for the customer, ensuring consistency of the process. The data for third-party audits (carried out by CBs) was obtained by reviewing the audit reports of those same suppliers at the time the customer audits were carried out.
Percentage of audits raising non-conformities against ISO 9001 clauses 8.2 and 8.4 during second- and third-party audits
The two ISO 9001 clauses selected from the findings of these 100 audits (8.2, “Requirements for products and services”, and 8.4, “Control of externally provided processes, products and services”) were chosen because of their importance to the customer, and because of the frequency with which they were found not to be implemented in line with the ISO 9001 standard. Non-conformities raised while ISO 9001:2008 was current have been converted to the equivalent ISO 9001:2015 clauses.
With regard to the quantitative data (as seen in the figure), there are significant instances of non-conformity from a customer’s perspective. Almost one third of the second-party audits carried out during this period found the suppliers’ review of contracts and customer requirements to fall short of compliance with the standard, and in more than half of second-party audits the suppliers did not adequately demonstrate control over their supply chain. However, the third-party audits of the same suppliers reported the equivalent findings in only zero and three per cent of cases, respectively. It is unclear at this time why such discrepancies exist, and it is hoped a wider audience may generate discussion around possible causes and potential solutions.
The significance of these potential risks should not be underestimated. Having recognized that the outsourcing of products and services introduces additional risk, regulators and authorities are also taking a keen interest in operators’ supply chains.
In light of these findings, you may wish to consider the following:
- Does an audit by an “interested party” introduce bias?
- Does auditing as a paid service reduce objectivity?
- Is there sufficient oversight by accreditation bodies?
- Would ISO 9001 benefit from a clause on external audits in addition to internal audits?
- Should the management review outputs be more explicit and in line with management review inputs?
- Is there a tendency to associate audit results in management review inputs only with internal audits?
If quality management system certification continues to be the basis for supplier approval for many organizations, I suggest that customers need to supplement it with continued vigilance and targeted surveillance activities, perhaps by including second-party audits. The two clauses discussed above highlight examples where risks exist for customers, and where interpretation of the ISO 9001 standard may or may not identify those risks, depending on the auditor’s viewpoint.
Advantages of second-party audits
Second-party audits are a valuable tool, strengthening an organization’s supply chain and verifying that current or proposed suppliers have the capability to meet or exceed their customer’s requirements. By the very act of outsourcing a product or service, an organization relinquishes some degree of control; it is imperative that this risk is managed.
The emphasis placed on risk-based thinking and meeting customer requirements by the latest ISO 9001 standard can only be a positive step. However, the data suggests that there is more work to be done to ensure that all auditors interpret compliance to the standard in the same way.
About the author
Gordon McNeil, CQP MCQI, is an IRCA principal auditor.